
Identity is the latest battlefield in cybersecurity, and credentials are prime targets for sophisticated threat actors armed with AI.
Cybercriminals have even developed autonomous attack frameworks that operate without human direction, and are using sentiment analysis to craft highly targeted spear-phishing campaigns. What’s more, AI is enabling more persistent, adaptive and scalable attacks, forcing security teams to defend against a wider range of threats at speed.
“Cybercriminals are weaponising generative AI for more convincing social engineering and using AI to identify attack paths through complex systems,” says Dmitry Smilyanets, a senior director, product management and engineering at cybersecurity company Recorded Future.
“The attack timeline has become significantly shorter, with techniques that previously took months to develop now emerging in weeks or days,” says Smilyanets. “The velocity of modern attacks also frequently outpaces humans’ response capabilities, with automated attack tools able to compromise systems and spread laterally within minutes of gaining initial access.”
Organisations that rely heavily on software-as-a-service applications and digital identities are particularly vulnerable: the expanded attack surface of these platforms gives threat actors more opportunities to exploit identity weaknesses than ever before.
“As organisations grow their digital presence, they effectively increase the perimeter they must defend, creating more potential entry points for attackers,” Smilyanets explains. “Many organisations struggle with visibility challenges, unable to track all their digital assets – and as security professionals often note, you cannot protect what you don’t know exists.”
The volume of exposed credentials has reached unprecedented levels, with credential theft per device rising 25% since 2021, according to Recorded Future’s 2024 State of Threat Intelligence report. “Some organisations discovered more than 100,000 exposed credentials in our assessment – that makes manual remediation virtually impossible.”
Last year, approximately 77% of web-application breaches involved stolen credentials, according to the 2024 Verizon Data Breach Investigations report. Traditional security tools often fail to stop identity-based attacks because they’re designed to detect anomalies rather than valid credentials being misused. Even sophisticated behavioural-analysis tools struggle initially, as attackers using legitimate credentials can mimic normal user-behaviour patterns.
Recorded Future’s research has also identified significant growth in supply chain credential compromises, where attackers target third-party service providers to gain access to multiple downstream organisations simultaneously. “A single compromised vendor led to data exposure across dozens of enterprise customers in several cases we analysed,” says Smilyanets.
Sophisticated cyber attacks
No organisation is immune to these threats, which can cause tremendous damage. In February 2025, the GrubHub data breach exposed millions of customers’ and drivers’ identities. Attackers claimed to have stolen 70 million lines of data, including millions of hashed passwords, phone numbers and email addresses.
The intrusion was traced to a third-party service provider, which the threat actors used to access the contact information of campus diners, merchants and drivers who had interacted with customer-care services. “The attackers demonstrated sophisticated targeting by exploiting third-party partnerships and creating a domino effect where a single compromised vendor impacted an entire ecosystem,” says Smilyanets.
“Security experts noted the attackers likely used AI-driven tools to analyse the network for vulnerabilities and automate data exfiltration, enabling them to access and harvest millions of identity records with minimal human intervention.”
Recent breaches at Snowflake and Change Healthcare also revealed another new pattern: attackers using so-called infostealer malware to obtain credentials and bypass protections such as single sign-on (SSO).
Infostealer malware uses a multi-stage process that helps to circumvent modern security measures. “Initial infection typically occurs through phishing, malicious advertisements or compromised websites, followed by establishing persistence on infected systems,” Smilyanets explains.
The malware then harvests credentials from multiple sources, including web browsers. “What makes infostealers especially dangerous is their ability to bypass SSO and multi-factor authentication by capturing authentication tokens and cookies rather than just passwords, and stealing browser session data that contains active, authenticated sessions,” says Smilyanets.
Modern infostealers, such as Redline, Raccoon and Vidar, can even extract complete digital identities rather than just passwords, allowing attackers to fully impersonate legitimate users with all their authentication factors.
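The token-theft pattern described above has a simple detection signature: a session cookie that was issued to one browser starts being presented from a different IP address and user agent with no new login in between. The following Python is an added example (not code from the article or from Recorded Future) that runs that check over a constructed set of access-log records; the field names (`sid`, `ip`, `ua`) are assumptions about the log format.

```python
"""Flag web sessions whose cookie is reused from a client fingerprint other than
the one it was first seen with: the footprint of a stolen browser session."""

# Constructed access-log sample (not real data). Alice's session cookie s-7f3a
# is later presented from a new IP and a new browser without a fresh login.
SAMPLE_LOG = [
    {"ts": "2025-03-01T09:00:02Z", "sid": "s-7f3a", "user": "alice", "ip": "203.0.113.10", "ua": "Firefox/125"},
    {"ts": "2025-03-01T09:00:40Z", "sid": "s-7f3a", "user": "alice", "ip": "203.0.113.10", "ua": "Firefox/125"},
    {"ts": "2025-03-01T09:31:17Z", "sid": "s-7f3a", "user": "alice", "ip": "198.51.100.77", "ua": "Chrome/124"},
    {"ts": "2025-03-01T10:02:00Z", "sid": "s-91c0", "user": "bob", "ip": "192.0.2.5", "ua": "Safari/17"},
    {"ts": "2025-03-01T10:05:13Z", "sid": "s-91c0", "user": "bob", "ip": "192.0.2.5", "ua": "Safari/17"},
]

FIELDS = ("ip", "ua")


def fingerprint(event):
    """The client attributes bound to a session at issuance."""
    return tuple(event[f] for f in FIELDS)


def find_session_reuse(events):
    """Return one alert per request whose session id arrives from a fingerprint
    that differs from the first one recorded for that session.

    Severity is 'high' when both IP and user agent change (a different machine
    replaying the cookie) and 'medium' when only the IP changes, since laptops
    and phones legitimately roam between networks during a session."""
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid, fp = ev["sid"], fingerprint(ev)
        if sid not in first_seen:
            first_seen[sid] = fp
            continue
        orig = first_seen[sid]
        if fp == orig:
            continue
        changed = [name for name, a, b in zip(FIELDS, orig, fp) if a != b]
        alerts.append({
            "sid": sid, "user": ev["user"], "ts": ev["ts"],
            "original": orig, "observed": fp, "changed": changed,
            "severity": "high" if len(changed) == len(FIELDS) else "medium",
        })
    return alerts
```

Because the stolen cookie is a valid, already-authenticated session, the response to a high-severity hit is to revoke that session server-side rather than to prompt for MFA again, which the attacker never has to pass.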
Another element that makes modern identity attacks particularly devastating is the criminal infrastructure supporting them. Initial-access brokers specifically sell authenticated access to corporate networks, and ransomware-as-a-service platforms have lowered the technical barriers for attacks. Communication channels such as Telegram and Discord also facilitate the trading of compromised accounts, while forums provide technical support and tutorials for using stolen credentials effectively.
“The criminal underground has evolved into a sophisticated ecosystem for credential trafficking and malware distribution,” says Smilyanets. “Specialised marketplaces offer categorised, searchable databases of stolen credentials, while subscription-based services provide continuous access to newly compromised data.”
Proactive security
All of these evolving threats demand a shift from reactive, perimeter-based security models to proactive detection of credential exposures before they are exploited. Identifying compromised credentials early, especially when they are valid, still-active credentials, enables organisations to promptly reset passwords, add authentication measures or place heightened monitoring on the affected accounts.
“This creates a critical time advantage, allowing security teams to neutralise the threat while attackers are still in the reconnaissance and preparation phases,” says Smilyanets. “Early detection essentially transforms a high-risk situation with minimal security visibility into a containable event where defenders have the upper hand.”
Recorded Future’s identity intelligence solution leverages advanced AI and machine learning to provide organisations with preemptive detection of compromised credentials before attackers can weaponise them. “Our platform collects and analyses exposed credentials in near real-time across an unmatched breadth of sources – including dark-web forums, paste sites, criminal marketplaces and botnet infrastructure – which traditional security tools do not have access to,” says Smilyanets.
It also creates connections between compromised identities, threat actors and attack patterns that would be impossible to detect manually, providing critical context about the threat actors involved, their typical attack patterns and the likely timeline for exploitation. This enables security teams to understand not just which credentials are exposed, but which ones present the most immediate risk.
“We assign risk scores to entities such as IP addresses, using both rule-based and machine-learning systems, which helps analysts quickly determine which threats require immediate attention,” says Smilyanets. “This scoring mechanism is critical for helping security teams focus on the most critical exposures rather than drowning in alerts.”
An API-driven architecture also enables fully automated security workflows. This means security teams can automatically determine whether exposed credentials belong to their organisation and whether they’re still active, identify the specific users affected and initiate password resets without manual intervention. This can reduce remediation time from days to minutes, and help to scale up protection as credential exposures grow.
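The automated workflow just described, as an added example that is not Recorded Future's code or from the original article: it takes exposure records in the shape a credential-intelligence feed might deliver, keeps only logins on the organisation's own domains, checks each against a directory export, and decides per account whether a reset is still needed. The record fields, domains and directory contents are constructed assumptions; the infostealer rule reflects the earlier point that rotating a password does not invalidate stolen session tokens.

```python
"""Triage exposed-credential records against the organisation's own directory and
decide which accounts need a forced password reset and/or session revocation."""
from datetime import datetime

ORG_DOMAINS = {"example.com"}

# Constructed directory export (not real data): account state and the time of the
# last password change.
DIRECTORY = {
    "alice@example.com": {"enabled": True, "pw_changed": "2025-01-10T00:00:00Z"},
    "bob@example.com": {"enabled": True, "pw_changed": "2025-02-20T00:00:00Z"},
    "carol@example.com": {"enabled": False, "pw_changed": "2024-06-01T00:00:00Z"},
}

# Constructed exposure records: the affected login, where it was seen and when.
EXPOSURES = [
    {"login": "Alice@example.com", "source": "infostealer log", "seen": "2025-02-01T12:00:00Z"},
    {"login": "bob@example.com", "source": "combolist", "seen": "2025-02-01T12:00:00Z"},
    {"login": "carol@example.com", "source": "paste site", "seen": "2025-02-15T12:00:00Z"},
    {"login": "dave@other.example", "source": "paste site", "seen": "2025-02-15T12:00:00Z"},
]


def _ts(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def triage(exposures, directory, org_domains):
    """Map each login to the set of actions it needs. Several records for one
    login are merged so the most demanding action wins."""
    actions = {}
    for rec in exposures:
        login = rec["login"].lower()
        needed = actions.setdefault(login, set())
        if login.rsplit("@", 1)[-1] not in org_domains:
            needed.add("not_ours")
        elif (user := directory.get(login)) is None:
            needed.add("unknown_user")
        elif not user["enabled"]:
            needed.add("disabled")
        else:
            # A password changed after the exposure was observed has already been
            # rotated; one changed before it may still be the leaked secret.
            if _ts(user["pw_changed"]) > _ts(rec["seen"]):
                needed.add("already_rotated")
            else:
                needed.add("reset_required")
            # Infostealer logs carry cookies and tokens, so a new password is not
            # enough: live sessions must be revoked as well.
            if "infostealer" in rec["source"].lower():
                needed.add("revoke_sessions")
    return actions
```

The `reset_required` and `revoke_sessions` outcomes are the hooks at which a real workflow would call the identity provider's reset and session-revocation endpoints.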
Ultimately, Smilyanets concludes: “Proactive AI-driven identity intelligence provides the visibility, context and response capabilities needed to address the central role identities play in modern security architectures, making it not just beneficial, but necessary for contemporary cybersecurity strategies.”
In today’s threat landscape, identity is the primary target. Traditional defences can’t keep up, so organisations need AI-driven identity intelligence to gain visibility, prioritise risks and respond quickly.
For more information please visit recordedfuture.com